101010.pl is one of the many independent Mastodon servers you can use to participate in the fediverse.
101010.pl, the oldest Polish Mastodon server. Posts of up to 2048 characters.


#tls


Hello, I’m hosting a #Vaultwarden server behind #Caddy 2.10 and made the following test:

Tuning Caddy to allow only #PQC curves:

	tls {
		curves x25519mlkem768
	}

Trying to connect with #Firefox Mac -> OK
Trying to connect with #Bitwarden #android client -> Fail

Without the #TLS tuning, the Bitwarden Android client will happily connect to the server.

Is it a problem with the Bitwarden Android client or with Android, or both?
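The `curves` directive above sets the only group the server will accept; the client announces the groups it can do in the supported_groups extension of its ClientHello, and if the two lists do not intersect the handshake fails before any certificate is sent. The quickest way to answer the question in the post is to capture the Bitwarden client's ClientHello and check which groups it offers. The following is an added example (not Caddy's, Bitwarden's or the poster's code) that builds a minimal ClientHello from a constructed group list, parses the extension back out, and applies the server-side intersection rule; the group codepoints are the IANA-registered values (x25519 = 0x001d, X25519MLKEM768 = 0x11ec).

```python
"""Inspect the supported_groups a TLS client offers and check whether a
server restricted to a single group can complete the handshake.

Added example for this thread; the ClientHello bytes are constructed here,
not captured from a real client."""
import struct

# IANA "TLS Supported Groups" registry values.
NAMED_GROUPS = {
    0x0017: "secp256r1",
    0x0018: "secp384r1",
    0x0019: "secp521r1",
    0x001D: "x25519",
    0x001E: "x448",
    0x11EC: "X25519MLKEM768",
}
EXT_SUPPORTED_GROUPS = 0x000A


def build_client_hello(groups):
    """Build a minimal TLS 1.3-style ClientHello handshake message offering `groups`."""
    body = b"\x03\x03"                                   # legacy_version
    body += bytes(32)                                    # random (zeros; constructed)
    body += b"\x00"                                      # legacy_session_id: empty
    body += struct.pack("!H", 2) + b"\x13\x01"           # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                                  # legacy_compression_methods: null
    group_list = b"".join(struct.pack("!H", g) for g in groups)
    ext_data = struct.pack("!H", len(group_list)) + group_list
    ext = struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(ext_data)) + ext_data
    body += struct.pack("!H", len(ext)) + ext            # extensions block
    return b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)


def offered_groups(client_hello):
    """Parse the supported_groups extension out of a ClientHello handshake message."""
    if client_hello[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                     # handshake header, version, random
    sid_len = client_hello[pos]; pos += 1 + sid_len
    cs_len = struct.unpack_from("!H", client_hello, pos)[0]; pos += 2 + cs_len
    comp_len = client_hello[pos]; pos += 1 + comp_len
    ext_total = struct.unpack_from("!H", client_hello, pos)[0]; pos += 2
    end = pos + ext_total
    while pos < end:
        ext_type, ext_len = struct.unpack_from("!HH", client_hello, pos); pos += 4
        if ext_type == EXT_SUPPORTED_GROUPS:
            list_len = struct.unpack_from("!H", client_hello, pos)[0]
            return [struct.unpack_from("!H", client_hello, pos + 2 + 2 * i)[0]
                    for i in range(list_len // 2)]
        pos += ext_len
    return []                                            # extension absent


def negotiate_group(server_curves, client_hello):
    """Server-side rule: first group in the server's preference list that the
    client also offered, or None (handshake_failure) if there is no overlap."""
    offered = set(offered_groups(client_hello))
    for g in server_curves:
        if g in offered:
            return g
    return None


if __name__ == "__main__":
    pq_only = [0x11EC]                                   # the Caddy "curves x25519mlkem768" setting
    for client in ([0x11EC, 0x001D, 0x0017], [0x001D, 0x0017]):
        chosen = negotiate_group(pq_only, build_client_hello(client))
        print([NAMED_GROUPS[g] for g in client], "->",
              NAMED_GROUPS[chosen] if chosen else "no common group, handshake fails")
```

Replace the constructed hello with the bytes of a captured ClientHello (for example from a packet capture of the Android client) to see whether 0x11ec is in its list; if it is not, the failure is on the client side regardless of what Caddy offers, and listing a classical fallback such as x25519 after x25519mlkem768 keeps the post-quantum group for clients that support it without locking the others out.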

Recent research has exposed more than 40 * 10³ IoT cameras happily showing their feed _and_ location to anyone who can browse and use search engines specialized in indexing misconfigured devices.

More than 14 * 10³ are located in the USA.

Read more here.

Note:
I know that there are more than a million of these cameras worldwide, misconfigured and open on just port 80 (HTTP, not even TLS on 443), with admin / admin as credentials 🪪

theregister.com/2025/06/10/400

More interesting progress trying to make #swad suitable for very busy sites!

I realized that #TLS (both with #OpenSSL and #LibreSSL) is a *major* bottleneck. With TLS enabled, I couldn't cross 3000 requests per second, with somewhat acceptable response times (most below 500ms). Disabling TLS, I could really see the impact of a #lockfree queue as opposed to one protected by a #mutex. With the mutex, up to around 8000 req/s could be reached on the same hardware. And with a lockfree design, that quickly went beyond 10k req/s, but crashed. 😆

So I read some scientific papers 🙈 ... and redesigned a lot (*). And now it finally seems to work. My latest test reached a throughput of almost 25k req/s, with response times below 10ms for most requests! I really didn't expect to see *this* happen. 🤩 Maybe it could do even more, didn't try yet.

Open issue: Can I do something about TLS? There *must* be some way to make it perform at least a *bit* better...

(*) edit: Here's the design I finally used, with a much simplified "dequeue" because the queues in question are guaranteed to have only a single consumer: dl.acm.org/doi/10.1145/248052.


Solved! 🥳

This was a pretty "interesting" bug. Remember when I invented a way to implement #async / #await in #C, for jobs running on a threadpool? Back then I said it only works when completion of the task resumes execution on the *same* pool thread.

Trying to improve overall performance, I found the complex logic to identify the thread job to put on a pool thread a real deal-breaker. Just having one single MPMC queue with a single semaphore for all pool threads to wait on is a lot more efficient. But then, a job continued after an awaited task will resume on a "random" thread.

It theoretically works by making sure to restore the CORRECT context (the original one of the pool thread) every time after executing a job, whether partially (up to the next await) or completely.

Only it didn't, at least here on #FreeBSD, and I finally understood the reason for this was that I was using #TLS (thread-local storage) to find the context to restore.

Well, most architectures store a pointer to the current thread metadata in a register. #POSIX user #context #switching saves and restores registers. I found a source claiming that the #Linux (#glibc) implementation explicitly does NOT include the register holding a thread pointer. Obviously, #FreeBSD's implementation DOES include it. POSIX doesn't have to say anything about that.

In short, avoiding TLS accesses when running with a custom context solved the crash. 🤯

#commonLisp #emacs #smallweb #kitten screwlisp.small-web.org/kitten #webdev

Eev (and lisp secret alien technology) made it /really/ easy and convenient to generate a kitten matching @aral's Tutorial 2: dynamic pages, kitten.small-web.org/tutorials serve it and visit it inside emacs (just press F8 over and over again and it happens on its own).

I guess you can do it too...? What do you think? How much of a Hurkle itch is this giving you Aral ;p. It seems /really/ easy to get a fancy! #tls site up like this.

Certificate notifications in the fedi

Certificate Transparency logs are publicly available, cryptographically signed lists of all TLS certificates issued by CAs.

If a third party or a rogue CA issues a certificate for your domain, gaining the ability to carry out MITM attacks, you can find out about it almost immediately from the CT logs.

But gathering huge lists from several sources yourself is neither particularly useful nor fast. That is what monitors are for. One available without registration is crt.sh, but I would like automatic notifications rather than checking the search results page by hand.

Introducing @crtsh

It is a fediverse bot that regularly checks the crt.sh CT list for the domains specified in the config and sends a post pinging the domain's admin when a new certificate appears in the list.

Bonus: if the most recently issued certificate has less than 6 days left before it expires, the bot reports that too.

Source code: https://git.dc09.ru/DarkCat09/crtsh-gts

DM me the domain and the fedi account for notifications if you would like me to add it to my instance of the bot, or self-host crtsh-gts (note: I have not tested it with Mastodon, I only targeted the GtS API); self-hosting should be quite straightforward.

#web #tls #security
#fediverse #bot @rf
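The monitoring loop the post describes is small enough to show end to end: pull the crt.sh JSON output for a domain, report every entry whose crt.sh id has not been seen before, and warn when the most recently issued certificate is within the expiry threshold. The code below is an added example written for this page, not the crtsh-gts source; it uses the crt.sh JSON endpoint (`?q=<domain>&output=json`) and the field names that endpoint returns, and keeps the network fetch separate from the decision logic so the latter can be exercised on the constructed sample entries embedded in the file. The posting step (the fediverse API call) is left as a plain string formatter.

```python
"""CT monitor logic in the style of a crt.sh watcher bot.

Added example for this post; not the crtsh-gts code. SAMPLE is constructed
data shaped like crt.sh's JSON output."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta

CRTSH_URL = "https://crt.sh/?q={query}&output=json"

# Constructed sample entries mimicking crt.sh's JSON shape (not real certificates).
SAMPLE = [
    {"id": 1001, "issuer_ca_id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R10",
     "common_name": "example.net", "name_value": "example.net\nwww.example.net",
     "not_before": "2025-04-01T00:00:00", "not_after": "2025-06-30T00:00:00",
     "serial_number": "04a1", "entry_timestamp": "2025-04-01T00:10:00"},
    {"id": 1002, "issuer_ca_id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R10",
     "common_name": "example.net", "name_value": "example.net\nwww.example.net",
     "not_before": "2025-06-01T00:00:00", "not_after": "2025-08-30T00:00:00",
     "serial_number": "04a2", "entry_timestamp": "2025-06-01T00:10:00"},
]


def fetch_crtsh(domain):
    """Fetch all crt.sh entries matching `domain` (live network call; not used by the tests).
    Use '%.' + domain to match subdomains only; crt.sh treats % as a wildcard."""
    url = CRTSH_URL.format(query=urllib.parse.quote(domain))
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def check_entries(entries, seen_ids, now, warn_days=6):
    """Return (new_entries, expiring_entry).

    entries:  list of crt.sh JSON dicts (fields used: id, issuer_name, name_value,
              not_before, not_after).
    seen_ids: set of crt.sh ids already reported; updated in place so the next run
              only reports certificates logged since.
    expiring_entry is the most recently issued certificate if it has fewer than
    `warn_days` days of validity left, else None.
    """
    new = []
    for entry in sorted(entries, key=lambda e: e["id"]):
        if entry["id"] in seen_ids:
            continue
        seen_ids.add(entry["id"])
        new.append(entry)

    latest = max(entries, key=lambda e: datetime.fromisoformat(e["not_before"]), default=None)
    expiring = None
    if latest is not None:
        remaining = datetime.fromisoformat(latest["not_after"]) - now
        if remaining < timedelta(days=warn_days):
            expiring = latest
    return new, expiring


def format_new_cert_alert(domain, admin, entry):
    """Text of the post that pings the domain admin about a newly logged certificate."""
    names = entry["name_value"].replace("\n", ", ")
    return (f"{admin} new certificate logged for {domain}: https://crt.sh/?id={entry['id']} "
            f"issued by {entry['issuer_name']} for {names}, valid until {entry['not_after']}")


def format_expiry_alert(domain, admin, entry, now):
    days_left = (datetime.fromisoformat(entry["not_after"]) - now).days
    return f"{admin} the latest certificate for {domain} expires in {days_left} day(s) ({entry['not_after']})"


if __name__ == "__main__":
    seen = {1001}                                  # state persisted between runs
    now = datetime(2025, 6, 10)
    new, expiring = check_entries(SAMPLE, seen, now)
    for e in new:
        print(format_new_cert_alert("example.net", "@admin", e))
    if expiring:
        print(format_expiry_alert("example.net", "@admin", expiring, now))
```

Persist `seen_ids` between runs (a file or small database), otherwise every restart re-announces the whole history. Anything issued by a CA you did not authorize is the case the post is about: the id and issuer in the alert are what you take to the CA's problem-reporting address.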


🔒 Auto Encrypt – heads up!

In the next minor version release of Auto Encrypt¹, we’ll be moving from a hard-coded date-based certificate renewal check to using ACME Renewal Information (ARI)².

The change³ should be seamless.

If you have any concerns, now is the time to raise them :)

#AutoEncrypt #TLS #LetsEncrypt #SmallTech #SmallWeb

¹ Drop-in Node.js https server replacement that automatically provisions and renews Let’s Encrypt certificates for you. (codeberg.org/small-tech/auto-e)
² datatracker.ietf.org/doc/draft
³ codeberg.org/small-tech/auto-e
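Two pieces make up the ARI change the post announces: identifying the certificate to the ACME server and acting on the window it suggests. Per the ACME Renewal Information specification linked above, the client GETs `<renewalInfo directory URL>/<certID>`, where certID is base64url(AKI keyIdentifier) `.` base64url(DER INTEGER value of the serial number), and the response carries a `suggestedWindow` with `start` and `end`; the client picks a random instant in that window and renews immediately if that instant is already past. The code below is an added example written for this page, not Auto Encrypt's implementation. It takes the AKI bytes and serial as plain values so it runs without a certificate parser, and keeps a date-based fallback (renew at two thirds of the lifetime) for when the ARI endpoint cannot be reached; the AKI and serial in the demo are example values chosen here.

```python
"""ACME Renewal Information (ARI) client pieces: certID construction and
renewal-time selection. Added example for this post, not Auto Encrypt's code."""
import base64
import random
from datetime import datetime, timedelta, timezone


def _b64url(raw):
    """base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def der_integer_content(n):
    """Content octets of a DER INTEGER for a non-negative value: minimal big-endian
    two's complement, so a leading 0x00 is added when the high bit is set."""
    if n < 0:
        raise ValueError("certificate serial numbers are non-negative")
    length = max(1, (n.bit_length() + 8) // 8)   # n.bit_length() // 8 + 1
    return n.to_bytes(length, "big")


def ari_cert_id(aki_key_identifier, serial):
    """ARI certID: base64url(keyIdentifier) '.' base64url(serialNumber DER value)."""
    return _b64url(aki_key_identifier) + "." + _b64url(der_integer_content(serial))


def renewal_info_url(directory_renewal_info, cert_id):
    """URL to GET for a certificate, given the directory's `renewalInfo` field."""
    return directory_renewal_info.rstrip("/") + "/" + cert_id


def _parse_rfc3339(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def choose_renewal_time(suggested_window, now, rng=random):
    """Uniformly random instant inside the suggested window; if that instant is
    already in the past (window open or over), renew now."""
    start = _parse_rfc3339(suggested_window["start"])
    end = _parse_rfc3339(suggested_window["end"])
    if end < start:
        raise ValueError("malformed suggestedWindow")
    t = start + timedelta(seconds=rng.uniform(0, (end - start).total_seconds()))
    return now if t <= now else t


def fallback_renewal_time(not_before, not_after):
    """Date-based fallback when ARI is unavailable: renew at 2/3 of the lifetime."""
    return not_before + (not_after - not_before) * 2 / 3


if __name__ == "__main__":
    # Example values chosen for this demo, not taken from any real certificate.
    aki = bytes.fromhex("69885B6B87464041E1B37B847BA0AE2CDE01C8D4")
    serial = 0x87654321
    cert_id = ari_cert_id(aki, serial)
    print(renewal_info_url("https://acme.example/acme/renewal-info", cert_id))
    window = {"start": "2025-07-01T00:00:00Z", "end": "2025-07-02T00:00:00Z"}
    print(choose_renewal_time(window, datetime(2025, 6, 20, tzinfo=timezone.utc)))
```

The random spread inside the window is what lets a CA ask many clients to renew early (for example during a mass revocation) without having them all hit the endpoint at the same second; `explanationURL` in the response, when present, points at the reason.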


👋🤓 Goodbye Site.js, Hello Kitten!

I started working on creating a Small Web¹ server (a peer-to-peer Web server) six years ago² with Site.js.

Building Site.js was my first attempt. And it resulted in:

• Auto Encrypt (automatic Let’s Encrypt certificates): codeberg.org/small-tech/auto-e

• Auto Encrypt Localhost (automatic localhost TLS certificates): codeberg.org/small-tech/auto-e

• @small-tech/https (drop-in Node.js https module replacement with automatic TLS certs everywhere): codeberg.org/small-tech/https

• JSDB: In-process, in-memory JavaScript database that persists to append-only JavaScript logs: codeberg.org/small-tech/jsdb

As Site.js reached an evolutionary dead-end, and as I learned from my experiments with replicated data types that replicated data types are *not* a prerequisite for a decentralised web (actual topological decentralisation and ease of use are), I started writing a new server/platform called Kitten from scratch while still making use of the tried and tested modules listed above.

Last week, I switched over our last site using Site.js to Kitten and, with that, today I’ve sunset³ Site.js:

sitejs.org

For its successor, please see Kitten:

kitten.small-web.org

If you want to support our work at the Small Technology Foundation, please consider becoming a patron:

small-tech.org/fund-us

:kitten:💕

¹ ar.al/2024/06/24/small-web-com
² ar.al/2019/08/26/introducing-s
³ Using our instance of Look Over There!: look-over-there.small-web.org

🔐 How can you keep your online data safe?
Whether you’re a web developer, IT professional, or simply interested in online security, our YouTube video will give you the confidence and know-how to secure your online presence using TLS SAN Certificates.
Discover how Subject Alternative Name (SAN) extensions make it possible to encrypt multiple domain names with just one TLS certificate.

#TLS #SAN

Visit youtu.be/R5jdnZyusew for more details.

Can’t wait for @jwildeboer’s https://nerdcert.eu/ to take off and be included in the usual bundles like Debian ca-certificates, as a big FU to Google, who will soon mandate web-browser-consumer-only key usages for certificates, and to Let’s Encrypt, who are following Google mindlessly and try to argue people with these uses to death instead of standing up for people’s freedom and keeping existing, working uses of SSL/TLS merely because those are not web-browser-consumer uses.
